M1flex installation with Apex needle

Let’s talk. I think if we put the proper TLVs up front it might work… I’ll do some digging and get you that data… would be great if it works.

2 Likes

Can someone not just buy said software?

1 Like

Yes, but it's packaged with a product that most, if not all, of you would probably have no use for, would find too expensive, or are absolutely oblivious to :sweat_smile:

1 Like

I also assume you don't hand out the source for said software when you purchase it, and I feel like messing around with IDA or whatever would be more work than working out the commands from the docs :sweat_smile:

2 Likes

I would if I could, you know that, but one of the software guys may or may not have been let go for asking for help on Stack Overflow.

3 Likes

Makes sense.

Seriously? Or was it because he disclosed sensitive information in his query? I mean, getting sacked just for asking for help seems like a dumb move by the company… nobody is a perfect coder… unless his question was like “what’s an IDE?” or something just astoundingly dumb… but again, that has more to do with revealing he was a dummy than simply asking a question, right?

1 Like

Nobody codes without reusing somebody else’s code snippets. If he was let go, I’m guessing he divulged confidential company information.

I have been warned about posting things to Stack Overflow in the past, preemptively. I was working on a sensitive project, and apparently even leaking that I was trying to solve a problem with Windows containers on Kubernetes (incredibly generic and not at all related to the actual project; it was for a build server) was a concern: management was worried about giving away that we were using Windows (the only related detail). It was quite amusing.

Management worries about strange things. But firing sounds like it would have to be a leak, or it was an excuse.

1 Like

Yes sensitive data was disclosed in his code snippet.

1 Like

If you’re in any serious company, that is a worry :slight_smile:

I just tested a Mifare 1k Gen2 card. It is possible to brick the whole card, or individual sectors on the card.

Here’s the test I did:

  • I have a brand new Mifare 1k Gen2 card. It has 16 sectors, key A and key B are both FFFFFFFFFFFF for all the sectors.
  • This proxmark command successfully reads the last sector: hf mf rdsc 15 A FFFFFFFFFFFF
  • This proxmark command successfully locks/bricks the last sector (access bits for all the blocks in the last sector are set to 7 - noread, nowrite): hf mf wrbl 63 A FFFFFFFFFFFF FFFFFFFFFFFF00F0FF40FFFFFFFFFFFF

I’m unable to read or write to the last sector after the above command.

Conclusion: I think Mifare Gen2 cards or individual sectors on the card can be bricked. This is just how the technology works.

Amal, maybe your batch of Gen2 chips works differently?

I doubt it… but we need more testing like this… Can I send you some Gen1 and Gen2 cards (I'm pulling chips from cards at the moment) for some more basic testing?

1 Like

I would expect this to be the case for Gen2 because that is how access bits are supposed to work. What I'm more interested in is whether the sector will brick permanently if the access bits are written incorrectly. In reference to this document:

http://amal.net/wp-content/uploads/2012/11/NFC-Access-Control-for-Mifare-S50.pdf

The original S50 has a funny “inverted bits” thing going on for access bits… you have to set your bits per block, but also provide inverted bits for the same block. If your access bits and inverted bits for any block in the sector don’t match up, then the entire sector is burnt and locked, and the data is no longer accessible.

My primary concern is memory tear events during writing that fudge up the access bits and wreck the sector… will gen2 cards do this? I have no idea… but it’s very possible, and this is the potential danger that I’m most concerned about with an implant.

I also want to verify you can totally fuck up sectors on a gen1 card in this same way, but recover them through a back door write. Doing either of these tests will require the ability to manually write keys and access bits to the sector trailer without using the proxmark’s “I’ll do it for you” commands… I have done so with an ACR122U before when I was digging into this stuff, and I’m sure there must be a way to do it with a proxmark3… but I have no time to dive into that world again right now.

2 Likes
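An added worked example (my own code, not from any post in this thread) that serves both the sector-trailer test above and the "inverted bits" / tear-event concern: it decodes and encodes the three access-bit bytes of a MIFARE Classic sector trailer exactly as the NXP MF1S50 datasheet lays them out (each C1/C2/C3 bit stored once plain and once inverted), refuses a trailer whose two copies disagree (the state the datasheet says locks the sector), and classifies what a given `hf mf wrbl` trailer does. The transport trailer `FF 07 80 69` and the `00 F0 FF 40` trailer from the test post are the inputs; the "bricked" / "bits_frozen" / "invalid" labels and the torn-write model (first N bytes of the new trailer land, the rest stay old) are simplifications of mine, not chip behaviour measured on a real card.

```python
"""Added example, not code from the thread: decode and encode the access bits of a
MIFARE Classic (S50/1k) sector trailer and classify what a trailer write does.
Layout per the NXP MF1S50 datasheet, bytes 6..8 of the trailer (block 3):
    byte 6 = ~C2[3..0] << 4 | ~C1[3..0]
    byte 7 =  C1[3..0] << 4 | ~C3[3..0]
    byte 8 =  C3[3..0] << 4 |  C2[3..0]
Block b of the sector has the 3-bit condition C1 C2 C3 (C1 is the MSB, value 0..7).
"""
from typing import Dict, List

DATA_COND = {  # datasheet table for data blocks (blocks 0..2 of a 1k sector)
    0: "r A|B  w A|B  inc A|B  dec A|B (transport)",
    1: "r A|B  w -    inc -    dec A|B",
    2: "r A|B  w -    inc -    dec -",
    3: "r B    w B    inc -    dec -",
    4: "r A|B  w B    inc -    dec -",
    5: "r B    w -    inc -    dec -",
    6: "r A|B  w B    inc B    dec A|B",
    7: "r -    w -    inc -    dec -   (block locked)",
}
TRAILER_COND = {  # datasheet table for the trailer: keyA write / bits read,write / keyB read,write
    0: "keyA w A   bits r A   w -   keyB r A w A",
    1: "keyA w A   bits r A   w A   keyB r A w A (transport)",
    2: "keyA w -   bits r A   w -   keyB r A w -",
    3: "keyA w B   bits r A|B w B   keyB r - w B",
    4: "keyA w B   bits r A|B w -   keyB r - w B",
    5: "keyA w -   bits r A|B w B   keyB r - w -",
    6: "keyA w -   bits r A|B w -   keyB r - w -",
    7: "keyA w -   bits r A|B w -   keyB r - w -",
}
BITS_FROZEN = {0, 2, 4, 6, 7}   # trailer conditions where the access bits can never be rewritten
KEY_B_READABLE = {0, 1, 2}      # key B is readable, so the chip will not accept it for authentication


def _inv(n: int) -> int:
    return (~n) & 0xF


def _nibble(conds: List[int], shift: int) -> int:
    """Collect bit `shift` (2=C1, 1=C2, 0=C3) of blocks 0..3 into a nibble, block 3 in the MSB."""
    return sum(((c >> shift) & 1) << b for b, c in enumerate(conds))


def encode_access_bits(conds: List[int]) -> bytes:
    """Four conditions (blocks 0..3) -> the 3 access bytes, inverted copies included."""
    if len(conds) != 4 or any(not 0 <= c <= 7 for c in conds):
        raise ValueError("need four conditions in 0..7")
    c1, c2, c3 = _nibble(conds, 2), _nibble(conds, 1), _nibble(conds, 0)
    return bytes([(_inv(c2) << 4) | _inv(c1), (c1 << 4) | _inv(c3), (c3 << 4) | c2])


def decode_access_bits(acc: bytes) -> List[int]:
    """3 access bytes -> four conditions; ValueError if plain and inverted copies disagree
    (the state in which the chip refuses the whole sector)."""
    if len(acc) != 3:
        raise ValueError("access bits are bytes 6..8 of the trailer")
    c1, c3, c2 = acc[1] >> 4, acc[2] >> 4, acc[2] & 0xF
    conds = [((c1 >> b) & 1) << 2 | ((c2 >> b) & 1) << 1 | ((c3 >> b) & 1) for b in range(4)]
    if encode_access_bits(conds) != bytes(acc):
        raise ValueError(f"inverted access bits do not match plain ones: {bytes(acc).hex()}")
    return conds


def analyze_trailer(trailer_hex: str) -> Dict[str, object]:
    """Classify a 16-byte sector trailer as it would be passed to `hf mf wrbl`."""
    t = bytes.fromhex(trailer_hex)
    if len(t) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    out: Dict[str, object] = {"key_a": t[:6].hex(), "key_b": t[10:].hex(), "gpb": t[9]}
    try:
        conds = decode_access_bits(t[6:9])
    except ValueError as e:
        out.update(state="invalid", reason=str(e))   # sector is lost on a genuine S50
        return out
    out["conditions"] = conds
    out["blocks"] = [DATA_COND[c] for c in conds[:3]] + [TRAILER_COND[conds[3]]]
    out["key_b_usable_for_auth"] = conds[3] not in KEY_B_READABLE
    if conds[3] in BITS_FROZEN and all(c == 7 for c in conds[:3]):
        out["state"] = "bricked"        # data unreadable and the bits can never change again
    elif conds[3] in BITS_FROZEN:
        out["state"] = "bits_frozen"    # still usable, but this is the final configuration
    else:
        out["state"] = "ok"
    return out


def simulate_torn_write(old_trailer_hex: str, new_trailer_hex: str, bytes_landed: int) -> str:
    """Model a tear mid-write: the first `bytes_landed` bytes of the new trailer land and the
    rest keeps the old contents. Simplification (assumption): real tearing is chip-specific;
    this only shows why a mix of old and new access bytes fails the consistency check."""
    old, new = bytes.fromhex(old_trailer_hex), bytes.fromhex(new_trailer_hex)
    return (new[:bytes_landed] + old[bytes_landed:]).hex().upper()


if __name__ == "__main__":
    TRANSPORT = "FFFFFFFFFFFFFF078069FFFFFFFFFFFF"   # factory trailer: keys FF.., bits FF 07 80
    BRICK = "FFFFFFFFFFFF00F0FF40FFFFFFFFFFFF"       # trailer from the test post: every block -> 7
    for name, trailer in (("transport", TRANSPORT), ("brick", BRICK),
                          ("torn", simulate_torn_write(TRANSPORT, BRICK, 8))):
        print(name, analyze_trailer(trailer))
```

Running it shows the transport trailer as `ok` with conditions `[0, 0, 0, 1]`, the test post's trailer as `bricked` with `[7, 7, 7, 7]` (bits frozen, every data block unreadable and unwritable, which matches the observed result), and the torn case (`00 F0` written, old `80` still present) as `invalid`, which is precisely the mismatch Amal describes. On a Gen1 magic card the backdoor write bypasses these checks, so `decode_access_bits` failing is only fatal on a genuine or Gen2 chip; that is the part that still needs testing on real cards.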

Here are some close-ups of the “destructive testing”… though it’s in pretty bad shape, the polymer layer is actually still intact as well as the antenna!

10 Likes

Incidentally, Saturn9, the read range when you bring your ACR122U reader up to your forearm is surprisingly poor: with an antenna coil that size, I expected something like half the range of a full-size credit card tag, so maybe an inch or more.

8 mm is what I get with the same reader and my conventional NFC glass implant (not DT). Is that kind of performance typical of NFC Flex implants? Because going to the trouble of implanting something that size and not getting any real read range benefit would be a bit disheartening, to say the least.

Completely depends on the reader. The ACR122U has a great antenna, so it couples really well from a variety of orientations, but it doesn’t have very high power output to couple over great distances. That’s also the primary benefit of a flex implant, it couples well from different angles so you don’t have to be finicky about finding the sweet spot.

With HF implants, no matter what coil shape or size, you’re not likely to get more than 3cm of read range. Add to that the attenuation introduced by skin and (in my case) large blood vessels and the range diminishes a bit more. Communicating via magnetic field is inherently a short range endeavor.

2 Likes

Yes, but I’m only considering read ranges of different transponders with the same reader in ideal conditions. So the particular reader and orientation doesn’t matter.

The ACR122U does read credit cards with the right shape and size coils from a good 2 inches away. A Flex also has the right shape coil, just not the right size. Hence my expecting it to yield maybe half of that.

I have a small coin-sized Mifare Ultralight that the ACR122U reads over an inch away when I put it inside my mouth against the inside of my cheek. I sort of thought the Flex would yield a similar read range. Half an inch at worst. That's why I was very surprised to see how close you had to bring your reader to your arm.

Well, that’s the other thing: in your video, you seemed to have to hit exactly the right spot to get it to read. It doesn’t appear to be very forgiving. But then videos have a knack for showing a distorted version of reality. Do you reckon your Flex reads more easily than your glass implant?

Out of interest, why? As in why is read range the main concern, I would think it’s easier to get close enough to a reader than to find the right angle in day to day use.

1 Like

Oh yeah, it’s so much easier to read. If I had to position my phone precisely on the sweet spot of my NExT to unlock it every time I would pull my hair out. To read my flexDF reliably I just need to hover my phone a few mm over my skin in a wide range of orientations and I’m good. I don’t know if I can recommend this install location, though. It’s kinda tight